When Suricata 7.0.9 outputs alert logs in eve.json, how can one know which part of the packet’s keyword was matched by the rule? It just shows the signature_id in the event_type for alert. What part specifically matched is not shown.
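The eve.json alert record identifies the rule (gid, signature_id, rev, signature) but carries no match position, so one practical way to see which bytes a rule fired on is to log the payload and re-apply the rule's content keywords to it. The script below is an added example, not code from the original post or from the Suricata project. It assumes suricata.yaml has payload: yes under the eve-log alert output (which adds a base64 payload field to each alert record) and that the rule text is available separately; the eve.json line and the rule are constructed sample data. It only handles plain content keywords (with |hex| blocks and nocase) and ignores offset/depth/distance/within and sticky buffers, so it approximates what the engine matched rather than reproducing it exactly.

```python
"""Locate where a Suricata rule's content keywords occur in a logged payload.

Added example (not from the forum post or the Suricata project). Assumes the
eve-log alert output was configured with `payload: yes`, so the alert record
has a base64 `payload` field, and that the rule text is supplied separately.
"""
import base64
import json
import re

# Constructed eve.json alert line (one JSON record, as Suricata writes them).
SAMPLE_EVE_LINE = json.dumps({
    "timestamp": "2024-05-01T10:00:00.000000+0000",
    "event_type": "alert",
    "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9",
    "src_port": 40000, "dest_port": 80, "proto": "TCP",
    "alert": {"action": "allowed", "gid": 1, "signature_id": 1000001, "rev": 1,
              "signature": "EXAMPLE passwd probe", "category": "", "severity": 3},
    "payload": base64.b64encode(
        b"GET /../../etc/passwd HTTP/1.1\r\nHost: x\r\n\r\n").decode(),
})

# Constructed rule carrying the sid above; only its content keywords are used.
SAMPLE_RULE = ('alert tcp any any -> any 80 (msg:"EXAMPLE passwd probe"; '
               'content:"GET"; content:"/etc/passwd"; nocase; '
               'content:"|0d 0a 0d 0a|"; sid:1000001; rev:1;)')


def rule_options(rule):
    """Yield (keyword, value) pairs from the option block, honouring quotes."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quote, prev = [], "", False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
        prev = ch
    if cur.strip():
        opts.append(cur.strip())
    for opt in opts:
        kw, _, val = opt.partition(":")
        yield kw.strip(), val.strip()


def content_bytes(value):
    """Turn a quoted content string (|hex| blocks, \\-escapes) into bytes.

    Limitation: an escaped pipe (\\|) inside the string is not handled.
    """
    s = value[1:-1] if value.startswith('"') and value.endswith('"') else value
    out = bytearray()
    # even-indexed pieces are literal text, odd-indexed pieces are hex bytes
    for idx, part in enumerate(s.split("|")):
        if idx % 2:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += re.sub(r"\\(.)", r"\1", part).encode("latin-1")
    return bytes(out)


def rule_contents(rule):
    """Return [(pattern, nocase)] in the order the rule lists content keywords."""
    contents = []
    for kw, val in rule_options(rule):
        if kw == "content":
            contents.append([content_bytes(val), False])
        elif kw == "nocase" and contents:
            contents[-1][1] = True          # nocase modifies the preceding content
    return [tuple(c) for c in contents]


def locate_matches(eve_line, rule):
    """Find each content keyword of `rule` in the payload of one eve.json alert.

    Returns a list of {pattern, nocase, offset, matched}; offset is -1 when the
    pattern is absent. This is a whole-payload substring scan: positional
    modifiers and sticky buffers are ignored, so treat it as an approximation.
    """
    event = json.loads(eve_line)
    if event.get("event_type") != "alert" or "payload" not in event:
        raise ValueError("need an alert event logged with payload: yes")
    payload = base64.b64decode(event["payload"])
    results = []
    for pattern, nocase in rule_contents(rule):
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        off = hay.find(needle)
        results.append({
            "pattern": pattern, "nocase": nocase, "offset": off,
            "matched": payload[off:off + len(pattern)] if off >= 0 else b"",
        })
    return results


if __name__ == "__main__":
    for m in locate_matches(SAMPLE_EVE_LINE, SAMPLE_RULE):
        print(f"offset {m['offset']:>3}  nocase={m['nocase']!s:<5} {m['pattern']!r} -> {m['matched']!r}")
```

In practice you would read eve.json line by line, pick the alert records whose signature_id matches the rule you are investigating, and pass each one through locate_matches; payload-printable: yes additionally gives a human-readable copy of the same bytes next to the base64 field, which is often enough to eyeball the match once you know the rule's content strings.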